
Re: ACL Question 'write stop' 'write break'

slapd -d acl (or the same through loglevel directives) is really helpful if you're not already using that...

First off, "attr=" is not preferred, please see slapd.access man page. This should be logged at LDAP_DEBUG_ANY; are you reading your startup logs? You might as well do a "slaptest -d config" while you're at it, to make sure everything is clean.

So when you uncomment your first stanza and consider the second stanza too:

access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
  attrs=userPassword,accountstatus
  by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
access to attr=userPassword
  by self write
  by anonymous auth
  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
  by * none

you're not giving john@ and sara@ your desired write access? I think that although rule #1 may well fire and grant them write, rule #2 has "to *" as the implicit target (IMO a best practice is to write these out), so it will fire as well. The first four <by> will not apply to john@ and sara@, so the final <by> will fire ... by * none. ACL #1 giveth, ACL #2 taketh away. I think a first consideration would be giving john@ and sara@ "write stop" instead of "write break" -- the break means to continue evaluation, whereas "stop" will not let ACL #2 remove the effect of ACL #1.

by * break

Also IMO best practice, "by * none break" (or whatever level you want) to make the level explicit. And you'll obviously need to keep this; otherwise .*managed will never be able to auth (they have to get to ACL #2 <by> #2 by means of a "break" or ACL reordering).
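The evaluation order described in the reply above (first matching <what> directive, first matching <by> clause, "stop" versus "break", and the implicit "by * none" at the end of every directive plus the implicit "access to * by * none" at the end of the list) can be checked without a running slapd. The following Python model is an added example, not code from the thread or from OpenLDAP; it implements only the subset of slapd.access(5) semantics the thread touches (dn.regex and attrs targets; self, anonymous, users, dn= and * subjects; stop/continue/break), and the bob.managed entry DN is a constructed placeholder for a ".managed" account. It reproduces the posted stanzas with "write break", then with "write stop", and then with the trailing "by * none break", so you can see which bind DN ends up with which level on userPassword.

```python
import re
from dataclasses import dataclass, field

# Access levels in slapd's order: a grant of one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LEVEL = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class By:
    who: str               # "*", "anonymous", "users", "self" or "dn=<exact DN>"
    access: str            # one of LEVELS
    control: str = "stop"  # "stop" (default), "continue" or "break"


@dataclass
class Access:
    dn_regex: str = ".*"                  # "to *" when no dn clause is given
    attrs: frozenset = frozenset()        # empty = entry plus all attributes
    by: list = field(default_factory=list)


def norm(dn):
    # slapd compares normalized DNs; lower-casing is enough for this model.
    return None if dn is None else dn.lower()


def what_matches(acl, target_dn, attr):
    if not re.search(acl.dn_regex, norm(target_dn), re.IGNORECASE):
        return False
    return not acl.attrs or attr.lower() in acl.attrs


def who_matches(by, bind_dn, target_dn):
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return bind_dn is None
    if by.who == "users":
        return bind_dn is not None
    if by.who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    if by.who.startswith("dn="):
        return bind_dn is not None and norm(by.who[3:]) == norm(bind_dn)
    raise ValueError(f"unsupported <who>: {by.who}")


def access_allowed(acls, bind_dn, target_dn, attr):
    """Level bind_dn ends up with on (target_dn, attr), walking the directives
    in order with slapd's stop/continue/break rules."""
    mask = None
    for acl in acls:
        if not what_matches(acl, target_dn, attr):
            continue
        matched, control = False, "stop"
        for by in acl.by:
            if not who_matches(by, bind_dn, target_dn):
                continue
            matched, mask, control = True, by.access, by.control
            if control != "continue":
                break
        if not matched:
            # every directive ends with an implicit "by * none" (stop)
            mask, control = "none", "stop"
        if control in ("stop", "continue"):
            return mask
        # "break": keep this mask and let the next matching directive override it
    # nothing stopped evaluation: a mask carried by "break" stands, otherwise
    # the implicit "access to * by * none" at the end of the list applies
    return mask if mask is not None else "none"


def permitted(acls, bind_dn, target_dn, attr, required):
    return LEVEL[access_allowed(acls, bind_dn, target_dn, attr)] >= LEVEL[required]


# DNs from the thread; bob.managed is a constructed stand-in for a .managed account.
JOHN = "mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
SARA = "mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US"
SAMBA = "mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
MANAGED = "mail=bob.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
MANAGED_RE = r"mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"


def build_acls(john_sara_control, trailing_break=False):
    """The two directives from the thread. john_sara_control is "break" (as
    posted) or "stop" (the fix); trailing_break appends "by * none break"."""
    first = Access(
        dn_regex=MANAGED_RE,
        attrs=frozenset({"userpassword", "accountstatus"}),
        by=[By(f"dn={JOHN}", "write", john_sara_control),
            By(f"dn={SARA}", "write", john_sara_control)],
    )
    if trailing_break:
        first.by.append(By("*", "none", "break"))
    second = Access(  # "access to attrs=userPassword", implicitly "to *"
        attrs=frozenset({"userpassword"}),
        by=[By("self", "write"), By("anonymous", "auth"),
            By(f"dn={SAMBA}", "read"), By("*", "none")],
    )
    return [first, second]


if __name__ == "__main__":
    for label, acls in [("as posted (write break)", build_acls("break")),
                        ("write stop", build_acls("stop")),
                        ("write stop + by * none break", build_acls("stop", True))]:
        print(f"{label}: john={access_allowed(acls, JOHN, MANAGED, 'userPassword')}, "
              f"anonymous={access_allowed(acls, None, MANAGED, 'userPassword')}")
```

With "write break", john@ reaches "write" in ACL #1, ACL #2 then matches the same userPassword attribute and its "by * none" replaces it; on accountstatus, which ACL #2 does not cover, the carried "write" survives, which is why a break-based setup looks half-working. With "write stop" john@ keeps write, but an anonymous bind against a .managed entry falls off the end of ACL #1 into its implicit "by * none" and can never reach the "by anonymous auth" in ACL #2 until the explicit "by * none break" is added. The regex is used exactly as posted; note that it is neither anchored nor has its dots escaped.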